blob: 9ddc2094b6dfff5f0951e379647af23e66619a12 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
{ config, lib, pkgs, ... }:
with lib;
let
isMa1sd =
package:
lib.hasPrefix "ma1sd" package.name;
isMxisd =
package:
lib.hasPrefix "mxisd" package.name;
cfg = config.services.mxisd;
server = optionalAttrs (cfg.server.name != null) { inherit (cfg.server) name; }
// optionalAttrs (cfg.server.port != null) { inherit (cfg.server) port; };
baseConfig = {
matrix.domain = cfg.matrix.domain;
key.path = "${cfg.dataDir}/signing.key";
storage = {
provider.sqlite.database = if isMa1sd cfg.package
then "${cfg.dataDir}/ma1sd.db"
else "${cfg.dataDir}/mxisd.db";
};
} // optionalAttrs (server != {}) { inherit server; };
# merges baseConfig and extraConfig into a single file
fullConfig = recursiveUpdate baseConfig cfg.extraConfig;
configFile = if isMa1sd cfg.package
then pkgs.writeText "ma1sd-config.yaml" (builtins.toJSON fullConfig)
else pkgs.writeText "mxisd-config.yaml" (builtins.toJSON fullConfig);
in {
options = {
services.mxisd = {
enable = mkEnableOption "matrix federated identity server";
package = mkOption {
type = types.package;
default = pkgs.ma1sd;
defaultText = literalExpression "pkgs.ma1sd";
description = lib.mdDoc "The mxisd/ma1sd package to use";
};
environmentFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Path to an environment-file which may contain secrets to be
substituted via <package>envsubst</package>.
'';
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/mxisd";
description = lib.mdDoc "Where data mxisd/ma1sd uses resides";
};
extraConfig = mkOption {
type = types.attrs;
default = {};
description = lib.mdDoc "Extra options merged into the mxisd/ma1sd configuration";
};
matrix = {
domain = mkOption {
type = types.str;
description = lib.mdDoc ''
the domain of the matrix homeserver
'';
};
};
server = {
name = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
Public hostname of mxisd/ma1sd, if different from the Matrix domain.
'';
};
port = mkOption {
type = types.nullOr types.int;
default = null;
description = lib.mdDoc ''
HTTP port to listen on (unencrypted)
'';
};
};
};
};
config = mkIf cfg.enable {
users.users.mxisd =
{
group = "mxisd";
home = cfg.dataDir;
createHome = true;
shell = "${pkgs.bash}/bin/bash";
uid = config.ids.uids.mxisd;
};
users.groups.mxisd =
{
gid = config.ids.gids.mxisd;
};
systemd.services.mxisd = {
description = "a federated identity server for the matrix ecosystem";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = let
executable = if isMa1sd cfg.package then "ma1sd" else "mxisd";
in {
Type = "simple";
User = "mxisd";
Group = "mxisd";
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
ExecStart = "${cfg.package}/bin/${executable} -c ${cfg.dataDir}/mxisd-config.yaml";
ExecStartPre = "${pkgs.writeShellScript "mxisd-substitute-secrets" ''
umask 0077
${pkgs.envsubst}/bin/envsubst -o ${cfg.dataDir}/mxisd-config.yaml \
-i ${configFile}
''}";
WorkingDirectory = cfg.dataDir;
Restart = "on-failure";
};
};
};
}
|